[Freeipa-users] Certificate system unavailable

Sigbjorn Lie sigbjorn at nixtra.com
Mon Jan 13 17:25:14 UTC 2014




On Mon, January 13, 2014 16:17, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>
>> Hi,
>>
>>
>> Thank you for your prompt reply Rob.
>>
>>
>>
>> On Mon, January 13, 2014 15:58, Rob Crittenden wrote:
>>
>>> Sigbjorn Lie wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> I seem to have issues with the certificate system on my IPA installation. Looking up hosts
>>>> in the IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno -8015]
>>>> error (-8015) unknown".
>>>>
>>>> I also notice that hosts says the certificate system is unavailable.
>>>>
>>>>
>>>>
>>>> certmonger: Server failed request, will retry: 4301 (RPC failed at server.  Certificate
>>>> operation cannot be completed: Failure decoding Certificate Signing Request).
>>>>
>>>>
>>>> Looking at the pki-ca logs on the ipa servers I see that some selftest failed:
>>>>
>>>>
>>>>
>>>> # tail -100 selftests.log
>>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Initializing self test plugins:
>>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
>>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
>>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
>>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
>>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
>>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>>>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>>>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence: CA is present
>>>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: system certs verification failure
>>>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>>>
>>>> The pki-cad service is running and "pki-cad status" displays the ports available.
>>>> /etc/init.d/pki-cad status
>>>> pki-ca (pid 28697) is running...                           [  OK  ]
>>>>
>>>>
>>>> My main concern is that the certmonger requests for renewal of certificates for LDAP on 2 out
>>>> of 3 of the IPA servers have failed, and the current certificate is expiring the 19th of January,
>>>> under a week from now.
>>>>
>>>> Do you have any suggestions for where I can start troubleshooting this issue?
>>>>
>>>>
>>>
>>> Check the trust on the audit certificate:
>>>
>>>
>>>
>>> # certutil -L -d /var/lib/pki-ca/alias/
>>> ...
>>> auditSigningCert cert-pki-ca                                 u,u,Pu
>>
>> All the 3 ipa servers return u,u,Pu for auditSigningCert
>>
>>
>> # certutil -L -d /var/lib/pki-ca/alias/
>>
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> Server-Cert cert-pki-ca                                      u,u,u
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>>
>>>
>>> If the trust is not u,u,Pu then you can fix it with:
>>>
>>>
>>>
>>> # certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu
>>>
>>>
>>>
>>> Then restart the CA and it should be ok.
>>>
>>>
>>
>> I have restarted the dirsrv for PKI-IPA, and the pki-cad service on all 3 IPA servers.
>>
>>
>>>
>>> What is the status on the failed certmonger requests?
>>>
>>
>> After I restarted dirsrv, pki-cad and then the httpd on ipa01 the status of the request is now:
>>
>>
>> Request ID '20120119194518':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to
>>         'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269]
>>         (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DNS-DOMAIN
>>         subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
>>         expires: 2014-01-19 19:45:18 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>>
>> However I cannot find the certificate that's expired?
>>
>
> Can you provide the output of getcert rather than ipa-getcert? It will show
> additional certificates that are issued/renewed outside of the IPA API.
>
> rob
>
>

Sure, I'll send you the output in private so I don't have to remove the domain names.

Regards,
Siggi
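The two checks this thread walks through, the trust flags on the CA's audit signing certificate and the state of certmonger's renewal requests, are easy to automate across several IPA servers. The script below is an added example and is not code from the thread or from the FreeIPA, Dogtag or certmonger projects. It parses the text formats of `certutil -L` and `getcert list`; both sample outputs are constructed to mirror the listings posted above (the audit certificate is deliberately given the wrong flags, and the second request, `constructed-0002`, is made up for contrast). The expected-trust table copies the flags from the working listing in the thread, and `THREAD_DATE` is simply the date of this message, used as "now".

```python
"""Health checks for the symptoms in the thread: wrong trust flags on the audit
signing certificate, and certmonger requests that are stuck or about to expire.
Sample inputs are constructed, not captured from a real server."""
import re
from datetime import datetime, timedelta, timezone

# Constructed `certutil -L -d /var/lib/pki-ca/alias/` listing; auditSigningCert
# is deliberately shown without the "P" flag so the check has something to find.
CERTUTIL_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""

# Trust flags of a healthy pki-ca NSS database, copied from the working listing
# in the thread. Nicknames other than these are not judged.
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
}

# Constructed `getcert list` output: the first request mirrors the stuck one in
# the thread, the second ("constructed-0002") is a healthy request for contrast.
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20120119194518':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=DNS-DOMAIN
\tsubject: CN=ipa01.dns.domain,O=DNS-DOMAIN
\texpires: 2014-01-19 19:45:18 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID 'constructed-0002':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=ipa02.dns.domain,O=DNS-DOMAIN
\texpires: 2015-06-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Date of the message in the thread, used as "now" for the expiry window.
THREAD_DATE = datetime(2014, 1, 13, 17, 25, tzinfo=timezone.utc)

# A data row is "<nickname>  <2+ spaces>  <ssl>,<smime>,<jar>"; header lines
# ("Trust Attributes", the indented "SSL,S/MIME,JAR/XPI") do not fit this shape.
_TRUST_LINE = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil(text):
    """Map certificate nickname -> trust attribute string from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _TRUST_LINE.match(line.rstrip())
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def trust_mismatches(certs, expected=EXPECTED_TRUST):
    """(nickname, actual, expected) for every expected certificate whose flags
    differ; a certificate missing from the database is reported with actual=None."""
    return [(nick, certs.get(nick), want)
            for nick, want in expected.items() if certs.get(nick) != want]


def parse_getcert(text):
    """Parse `getcert list` output into one {field: value} dict per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':$", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)  # values may contain ':' (URLs)
            current[key.strip()] = value.strip()
    return requests


def renewal_risks(requests, now=THREAD_DATE, window=timedelta(days=7)):
    """{request id: [reasons]} for requests needing attention: stuck requests,
    requests whose presented certificate the CA rejected as expired, and
    certificates that expire within `window` of `now`."""
    risks = {}
    for req in requests:
        reasons = []
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if "SSL_ERROR_EXPIRED_CERT_ALERT" in req.get("ca-error", ""):
            reasons.append("CA rejected the presented certificate as expired")
        if req.get("expires"):
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
            if exp.replace(tzinfo=timezone.utc) - now <= window:
                reasons.append("expires within %d days" % window.days)
        if reasons:
            risks[req["id"]] = reasons
    return risks


if __name__ == "__main__":
    for nick, got, want in trust_mismatches(parse_certutil(CERTUTIL_SAMPLE)):
        print("trust mismatch: %r is %s, expected %s" % (nick, got, want))
    for rid, why in renewal_risks(parse_getcert(GETCERT_SAMPLE)).items():
        print("request %s: %s" % (rid, "; ".join(why)))
```

On a real server the two samples would be replaced by the output of `certutil -L -d /var/lib/pki-ca/alias/` and `getcert list`; run on every IPA replica, the first check catches the audit-certificate trust problem from Rob's hint, and the second surfaces exactly the request in the thread: stuck, rejected with SSL_ERROR_EXPIRED_CERT_ALERT, and expiring within the week.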




